W32/Injector.DVFA!tr

Analysis

W32/Injector.DVFA!tr is a generic detection for a Downloader trojan that may download Loki or Pony password stealer. Since this is a generic detection, this malware may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware may drop the following file:
    • %AppData%\[Random]\[Random].exe: This file is a copy of the original malware itself.
    • %Startup%\[Random].vbs: This file serves as an autostart for the original malware or for the dropped copy of it.
    • %Temp%\[Random].bat: This file is dropped in the %Temp% folder to delete the malware and then itself from the host machine after execution.

  • This malware may connect to any of the following remote site(s):

  • The malware may create the following registry entry to run the dropped copy of itself automatically at startup:
    • HKCU\Software\Microsoft\Windows\Currentversion\Run
      • [Random] = "%AppData%\[Random]\[Random].exe"

  • It may inject code into the following process:
    • svchost.exe

  • The original copy of the malware may also be deleted after execution.
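The persistence artifacts listed above (a Run-key value pointing at an executable under %AppData%\[Random]\, a .vbs in the user's Startup folder, and a short-lived .bat in %Temp%) can be checked on a suspect host with the following added triage script; it is example code written for this page, not Fortinet's, and it assumes it is run in the profile of the affected user.

```powershell
# Added example (not from the Fortinet page): collect the persistence
# artifacts described in the analysis above for the current user profile.
$findings = @()

# 1. Run-key values that resolve to %AppData%\<dir>\<name>.exe
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appData = [regex]::Escape($env:APPDATA)
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip provider metadata (PSPath etc.)
        $val      = ([string]$p.Value) -replace '"', ''   # strip quoting around the path
        $expanded = [Environment]::ExpandEnvironmentVariables($val)
        # one subfolder directly under %AppData%, then an .exe: matches the dropped copy
        if ($expanded -match "^$appData\\[^\\]+\\[^\\]+\.exe") {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Name = $p.Name; Path = $expanded }
        }
    }
}

# 2. Any .vbs in the per-user Startup folder (the autostart described above)
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -Filter *.vbs -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'StartupVbs'; Name = $_.Name; Path = $_.FullName }
    }

# 3. Recently written .bat files in %Temp% (the self-delete script is short-lived,
#    so a 24-hour window is an assumption chosen for triage, not a value from the page)
Get-ChildItem -Path $env:TEMP -Filter *.bat -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'TempBat'; Name = $_.Name; Path = $_.FullName }
    }

# Hash whatever still exists so the file can be compared with the dropped copy or submitted for analysis
foreach ($f in $findings) {
    $hash = if (Test-Path -LiteralPath $f.Path) {
        (Get-FileHash -Algorithm SHA256 -LiteralPath $f.Path).Hash
    } else { 'missing (already deleted)' }
    $f | Add-Member -NotePropertyName SHA256 -NotePropertyValue $hash
}

$findings | Format-Table -AutoSize
```

A Run-key value under %AppData% is not malicious on its own (some legitimate per-user installers use the same layout), so treat a hit as a lead to confirm with the hash, not as a verdict.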


Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2019-05-03 68.25100 Sig Added
2019-05-03 68.25000 Sig Updated